= keycloak =
Open Source Identity and Access Management.
 * https://www.keycloak.org/

== OIDC ==
 * https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Overview
OpenID Connect (OIDC) provides a simple identity layer on top of the OAuth 2.0 protocol, enabling Single Sign-On (SSO) and API access in one round trip. It brings the missing user authentication story and identity layer to OAuth.

== Steps setup realm ==
{{{#!highlight bash
cd /tmp
wget https://github.com/keycloak/keycloak/releases/download/14.0.0/keycloak-14.0.0.zip
unzip -t keycloak-14.0.0.zip
unzip keycloak-14.0.0.zip
cd ~/tmp/keycloak-14.0.0/bin
sh standalone.sh 
http://localhost:8080/auth
}}}

* http://localhost:8080/auth
Administration Console
User: admin 
Password: admin 
Password confirmation: admin 
Click on Create
 
http://localhost:8080/auth/admin/master/console/#/realms/master
login with admin:admin
http://localhost:8080/auth/admin/master/console/#/create/realm
Name: MyRealm
Enabled: On
Click on Create
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm

Go to Users
Click on Add user
Username: myuser
User enabled: ON
Save 
http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users

Select user myuser, 
Select credentials tab, 
Password: mypwd 
Password confirmation: mypwd, 
Temporary: off 
Click on "Set Password"

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/roles
http://localhost:8080/auth/admin/master/console/#/create/role/MyRealm
Add role USER to MyRealm
Role name: USER
Click on Save 

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/users
select user myuser 
select tab Role mappings
select user and click on add selected

Signout
http://localhost:8080/auth/realms/MyRealm/account/

http://localhost:8080/auth/admin/master/console/#/realms/MyRealm/clients
click on create 
client id: curl_confidential
client protocol: openid-connect
root url: http://localhost:8080
Click on save 

Clients Curl_confidential  settings: 
access-type: confidential
Should appear tab Credentials 
Client authenticator: Client ID and secret
Click on "Regenerate Secret"
# 3a862f1b-6687-4f7a-8e04-be494fca99e0

Clients Curl_confidential Mappers Add builtin "realm roles", "groups"
add selected 
For each map add "Add to userinfo"

Clients Curl_confidential Scope, 
select full scope allowed: ON

realm: MyRealm
user pwd: myuser mypwd
client id: curl_confidential
protocol: openid-connect
Curl_confidential  settings: 
access-type confidential
valid redirect url http://localhost:8080
tab credentials: regenerate secret 3a862f1b-6687-4f7a-8e04-be494fca99e0